Patent Application
20240015011
This application claims the priority benefit of China application no. 202210788295.8, filed on Jul. 6, 2022. The entirety of the above-mentioned patent application is hereby incorporated by reference and made a part of this specification.
The invention relates to a multiplier, in particular to a parallel multiplier for the Saber algorithm.
Public keys are widely used in important fields such as information network security and national defense security, and the security of the public key system relies on mathematical problems, such as RSA based on integer prime factorization and ECC based on discrete logarithm problems. However, with the development of quantum computation, the Shor algorithm and the Grover search algorithm will destroy the security of the public key encryption system and symmetric encryption. Novel public key schemes capable of defending against quantum attacks, namely post-quantum cryptography (PQC), attract the interest of cryptographers.
The Saber algorithm based on Module Learning with Rounding is one of the novel public key schemes capable of defending against quantum attacks, and modulo multiplication on a polynomial quotient ring in the Saber algorithm ensures that the Saber algorithm has the function of defending against quantum attacks. However, the modulo multiplication existing in the key generation stage, the encryption stage and the decryption stage of the Saber algorithm will lead to the problem of excessive operation expenditure, that is, the efficiency of modulo multiplication directly restricts the operational performance of the Saber algorithm. Since the standardization of PQC, the modular multiplication efficiency is studied based on the Schoolbook, Toom-Cook and Karatsuba to overcome the defects of the Saber algorithm in modulo multiplication efficiency. Basso et al. realized three multipliers with different properties by reducing the area expenditure based on convenient Schoolbook multiplication and the mechanism of centralized multiplication of multinomial coefficients. However, these three multipliers are high in computation complexity and low in computation speed. Mera et al. proposed a precomputation-based interpolation technique to reduce the expenditure of memory resources and realized a low-computation complexity multiplication architecture based on the Toom-Cook algorithm. This scheme reduces the computation complexity. However, since it is realized by software, compared with multiplication architectures realized by hardware circuits, the computation speed of this scheme is still unsatisfying although it has been increased to some extent. Tan et al. designed a high-speed parallel modulo multiplication unit by selecting suitable prime numbers to decrease the bit width of data based on the Karatsuba algorithm, but the modulus needs to be a prime number, which constrains this scheme. Zhu et al. improved the computation efficiency of modulo multiplication by multi-layer calling of the Karatsuba algorithm, but extra circuit area expenditure will be caused by repeated calling of the Karatsuba algorithm.
The technical issue to be settled by the invention is to provide a parallel multiplier for the Saber algorithm, which is implemented by hardware, low in computation complexity, not limited by the constraint that the modulus is a prime number, and small in circuit area expenditure.
The technical solution adopted by the invention to settle the above technical issue is as follows: a parallel multiplier for the Saber algorithm comprises a coefficient memory, two parallel pre-adding circuits, three parallel multiplication circuits and a post-adding circuit, wherein the coefficient memory has a coefficient input terminal, a clock input terminal and a coefficient output terminal, the coefficient input terminal of the coefficient memory, as a data input terminal of the parallel multiplier, is used for inputting coefficient data for modulo multiplication of two polynomials, the clock input terminal of the coefficient memory, as a clock input terminal of the parallel multiplier, is used for inputting a clock signal CLK, the two parallel pre-adding circuits are referred to as a first parallel pre-adding circuit and a second parallel pre-adding circuit respectively, the three parallel multiplication circuits are referred to as a first parallel multiplication circuit, a second parallel multiplication circuit and a third parallel multiplication circuit respectively, the first parallel pre-adding circuit has two input ports and a data output port, the second parallel pre-adding circuit has two input ports and a data output port, the first parallel multiplication circuit and the second parallel multiplication circuit each have an input port and an output port, the third parallel multiplication circuit has two input ports and an output port, the post-adding circuit has three input ports and an output port, the two input ports of the first parallel pre-adding circuit and the two input ports of the second parallel pre-adding circuit are connected to the coefficient output terminal of the coefficient memory, the input port of the first parallel multiplication circuit and the input port of the second parallel multiplication circuit are connected to an output port of the coefficient memory, the two input ports of the third parallel multiplication circuit are connected to the output port of the first parallel pre-adding circuit and the output port of the second parallel pre-adding circuit in a one-to-one correspondence manner, the output port of the first parallel multiplication circuit, the output port of the second parallel multiplication circuit and the output port of the third parallel multiplication circuit are connected to the three input ports of the post-adding circuit in a one-to-one correspondence manner, and the output port of the post-adding circuit, as an output terminal of the parallel multiplier, is used for outputting a final result (OUT);
When two polynomials are input to the input terminal of the parallel multiplier, the parallel multiplier multiplies coefficients of the polynomials specifically through the following steps:
S1: Loading the two polynomials into the coefficient memory, and denoting the two polynomials as a polynomial S and a polynomial A respectively, wherein the polynomial S comprises 256 coefficients, the coefficient of an fth term (the fth coefficient) of the polynomial S is denoted as sf−1, f=1, 2, . . . , 256, sf−1 is an integer, sf−1∈[−4, 4], a vector formed by the 256 coefficients of the polynomial S is (s0, s1 . . . , s255), a vector (s128, s129, . . . , s255) formed by the first 128 coefficients of the polynomial S is denoted as SH, a vector (s0, s1, . . . , s127) formed by the last 128 coefficients of the polynomial S is denoted as SL, an nth data in SL is denoted as SLn, SLn=sn−1, n=1, 2, . . . , 128, an nth data in SH is denoted as SHn, and SHn=Sn+127; the polynomial A comprises 256 coefficients, each coefficient has a bit width of 16bits, of which 13bits or 10bits are significant bits and the other 3bits or 6bits are used for data completion and coefficient alignment, the bit width of the data is set to 16bits to ensure that read 64bits data of the polynomial A includes four consecutive coefficients, the coefficient of an fth term (the fth coefficient) of the polynomial A is denoted as af−1, af−1 is an integer, af−1∈[0, 8191], a vector formed by the 256 coefficients of the polynomial A is (a0, a1, . . . , a255), a vector (a128, a129, . . . , a255) formed by the first 128 coefficients of the polynomial A is denoted as AH, a vector (a0, a1, . . . , a127) formed by the last 128 coefficients of the polynomial A is denoted as AL, an mth data in AL is denoted as ALm, ALm=am−1, m=1, 2, . . . , 128, and an mth data in AH is denoted as AHm, and AHm=am+127;
S2: Through the output terminal of the coefficient memory, according to a preset time sequence under the control of the clock signal CLK, outputting AH and AL to the first parallel pre-adding circuit, outputting SH and SL to the second parallel pre-adding circuit, outputting AH and SH to the first parallel multiplication circuit, and outputting AL and SL to the second parallel multiplication circuit;
Processing AH and AL by the first parallel pre-adding circuit according to formula (1) to obtain a result RA, which is output to the third parallel multiplication circuit through the output port of the first parallel pre-adding circuit:
ra
m−1=(AHm+ALm)mod 8192 (1)
Where, mod is a modulo operator, mod 8192 represents an 8192 modulo operation performed on (AHm+ALm), ram−1 is an mth data in RA, and RA includes 128 data (ra0, ra1, . . . , ra127);
Processing SH and SL by the second parallel pre-adding circuit according to formula (2) to obtain a result RS, which is output to the third parallel multiplication circuit through the output port of the second parallel pre-adding circuit:
rs
n−1=(SHn+SLn) (2)
Where, rsn−1 is an nth data in RS, and RS includes 128 data (rs0, rs1, . . . , rs127);
S3: Processing AH and SH by the first parallel multiplication circuit through the following steps to obtain an output result P0, which is output to the post-adding circuit:
S3.1: setting a round variable k and an intermediate vector T including 255 data, wherein T=(t1_0, t1_1, . . . , t1_254), t1_j is a (j+1)th data in T, and j=0, 1, 2, . . . , 254; k and T are initialized to k=1, t1_j=0;
S3.2: performing a kth round of shift accumulation, which specifically comprises:
S3.2.1: setting an intermediate vector Rk, and calculating each data in the intermediate vector Rk according to formula (3):
r
k_n−1
=A
Hk
×S
Hn (3)
Where, rk_n−1 is an nth data in Rk, and Rk includes 128 data (rk_0, rk_1, . . . , rk_127);
S3.2.2: setting an intermediate P0k including 255 data, P0k=(pk_0, pk_1, . . . , pk_254), where pk_j is a (j+1)th data in P0k;
When k=1, pk_d=t1_d+rk_d, pk_b=t1_b, where d=0, 1, 2, . . . , 127, b=128, 129, . . . 254, and the values of t1_d and t1_b are current latest values;
When 2≤k<128, pk_0=t1_0, . . . , pk_k−2=t1_k−2; pk_k−1=t1_k−1+rk_0, pk_k=t1_k+rk_1, . . . , pk_k+126=t1_k+126+rk_127; pk_k+127=t1_k+127, . . . pk_254=t1_254, where the value of t1_j is a current latest value;
When k=128, pk_e=t1_e+rk_e, pk_g=t1_g, where e=0, 1, 2, . . . , 126, g=127, 128, . . . , 254, and the values of t1_e and t1_g are current latest values;
S3.2.3: updating each data in the intermediate vector T; t1_j=pk_j;
S3.3: determining whether the value of k is equal to 128; in response the value of k being not equal to 128, updating the value of k to the sum of a current value of k and 1, and then returning to S3.2 to perform the next round of shift accumulation; in response the value of k being equal to 128, setting p128_j=pj′ and outputting result P0=(p0′, p1′, . . . , p254′), where pj′ is a (j+1)th data in P0;
Processing AL and SL by the second parallel multiplication circuit through the following steps to obtain an output result P1, which is output to the post-adding circuit:
S3.4: setting a round variable ba and an intermediate variable U including 255 data, where U=(u1_0, u1_1, . . . , u1_254), and u1_j is a (j+1)th data in U; ba and U are initialized to ba=1, u1_j=0;
S3.5: performing a bath round of shift accumulation, which specifically comprises:
S3.5.1: setting an intermediate vector Vba, and calculating each data in the intermediate vector Vba according to formula (4):
v
ba_n−1
=A
Lba
×S
Ln (4)
Where, vba_n−1 is an nth data in Vba, and Vba includes 128 data (vba_0, vba_1, . . . , vba_127);
S3.5.2: setting an intermediate vector P1ba including 255 data, P1ba=(cba_0, cba_1, . . . , cba_254), where cba_j is a (j+1)th data in P1ba;
When ba=1, cba_da=u1_da+vba_da, cba_bb=u1_bb, where da=0, 1, 2, . . . , 127, bb=128, 129, . . . , 254, and the values of u1_da and u1_bb are current latest values;
When 2≤ba<128, cba_0=u1_0, . . . , cba_ba−2=u1_ba−2; cba_ba−1=u1_ba−1+vba_0, cba_ba=u1_ba+vba_1, . . . , cba_ba+126=u1_ba+126+vba_127; cba_ba+127=u1_ba+127, . . . , cba_254=u1_254, where the value of u1_j is a current latest value;
When ba=128, cba_bc=u1_bc+vba_bc cba_bd=u1_bd, where bc=0, 1, 2, . . . , 126, bd=127, 128, . . . , 254, and the values of u1_bc and u1_bd are current latest values;
S3.5.3: each data in the intermediate vector U is updated, u1_j=cba_j;
S3.6: determining whether the value of ba is equal to 128; in response the value of ba being not equal to 128, updating the value of ba to the sum of a current value of ba and 1, and then returning to S3.5 to perform the next round of shift accumulation; in response the value of ba being equal to 128, setting c128_j=pj″ and outputting result P1=(p0″, p1″, . . . , p254″), where pj″ is a (j+1)th data in P1;
Processing RA and RS by the third parallel multiplication circuit through the following steps to obtain an output result P2, which is output to the post-adding circuit:
S3.7: setting a round variable bf and an intermediate vector W including 255 data, where W=(w1_0, w1_1, . . . , w1_254), and w1_j is a (j+1)th data in W; bf and W are initialized to bf=1, w1_j=0;
S3.8: performing a bfth round of shift accumulation, which specifically comprises:
S3.8.1: setting an intermediate vector Ybf, and calculating each data in the intermediate vector Ybf according to formula (5):
y
bf_n−1
=R
Abf
×R
Sn (5)
Where, ybf_n−1 is an nth data in Ybf, and Ybf includes 128 data (ybf_0, ybf_1, . . . , ybf_127); RAbf is a bfth data in RA, and RSn is an nth data in RS;
S3.8.2: setting an intermediate vector P2bf including 255 data, P2bf=(ebf_0, ebf_1, . . . , ebf_254), where ebf_j is a (j+1) data in P2bf;
When bf=1, ebf_bg=w1_bg+ybf_bg, ebf_bm=w1_bm, where bg=0, 1, 2, . . . , 127, bm=128, 129, . . . , 254, and the values of w1_bg and w1_bm are current latest values;
When 2≤bf<128, ebf_0=w1_0, . . . , ebf_bf−2=w1_bf−2; ebf_bf−1=w1_bf−1+ybf_0, ebf_bf=w1_bf+ybf_1, . . . , ebf_bf+126=w1_bf+126+ybf_127; ebf_bf+127=w1_bf+127, . . . , ebf_254=w1_254, where the value of w1_j is a current latest value;
When bf=128, ebf_bn=w1_bn+ybf_bn, ebf_bp=w1_bp, where bn=0, 1, 2, . . . 126, bp=127, 128, . . . , 254, and the values of w1_bn and w1_bp are current latest values;
S3.8.3: updating each data in the intermediate vector W, w1_j=ebf_j;
S3.9: determining whether the value of bf is equal to 128; in response the value of bf being not equal to 128, updating the value of bf to the sum of a current value of bf and 1, and then returning to S3.8 to perform the next round of shift accumulation; in response the value of bf being equal to 128, setting e128_j=pj′″ and outputting result P2=(p0′″, p1′″, . . . , p254′″), where pj′″ is a (j+1)th data in P2;
S4: processing P2, P1 and P0 by the post-adding circuit through the following steps to obtain and output the final operation result OUT, which specifically comprises:
S4.1: setting an intermediate vector Tmp0 including 255 data, and calculating each data in the intermediate vector Tmp0 according to formula (6):
tmp0_j=pj″−pj′ (6)
Where, tmp0_j is a (j+i)th data in Tmp0, and Tmp0 includes 255 data (tmp0_0, tmp0_1, . . . , tmp0_254);
S4.2: setting an intermediate vector Tmp1 including 255 data, and calculating each data in the intermediate vector Tmp1 according to formula (7):
tmp1_j=pj′″−pj″−pj′ (7)
Where, tmp1_j is a (j+1)th data in Tmp1, and Tmp1 includes 255 data (tmp1_0, tmp1_1, . . . , tmp1_254);
S4.3: calculating each data in OUT according to formula (8), formula (8), formula (10) and formula (11):
outloop1=tmp0_loop1−tmp1_loop1+128 (8)
outloop2=tmp0_loop2−tmp1_loop2−128 (9)
out127=tmp0_127 (10)
out255=tmp1_127 (11)
Where, loop1=0, 1, . . . , 126; loop2=128, 129, . . . , 254; OUT includes 256 data (out0, out1, . . . , out255).
Compared with the prior art, the invention has the following beneficial effects: the parallel multiplier for the Saber algorithm is formed by a coefficient memory, two parallel pre-adding circuits, three parallel multiplication circuits and a post-adding circuit, the coefficient memory, the two parallel pre-adding circuits, the three parallel multiplication circuits and the post-adding circuit adopt a divide-and-conquer strategy, the two parallel pre-adding circuits perform parallel computation, and the three parallel multiplication circuits perform parallel computation, such that the computation time of modulo multiplication is shorted; the modulo operation of non-prime numbers is realized by limiting the bit width, such that the constraint that the modulus is a prime number is avoided; and the Karatsuba algorithm is called once, such that extra circuit area expenditure is reduced. Thus, the parallel multiplier for the Saber algorithm is implemented by hardware, low in computation complexity, not limited by the constraint that the modulus is a prime number, and low in circuit area expenditure.
The invention will be described in further detail below in conjunction with the accompanying drawings and embodiments.
Embodiment: As shown in
When two polynomials are input to the input terminal of the parallel multiplier, the parallel multiplier multiplies coefficients of the polynomials specifically through the following steps:
S1: The two polynomials are loaded into the coefficient memory, and the two polynomials is denoted as a polynomial S and a polynomial A respectively, wherein the polynomial S comprises 256 coefficients, the coefficient of an fth term (the fth coefficient) of the polynomial S is denoted as sf−1, f=1, 2, . . . , 256, sf−1 is an integer, sf−1∈[−4, 4], a vector formed by the 256 coefficients of the polynomial S is (s0, s1 . . . , s255), a vector (s128, s129, . . . , s255) formed by the first 128 coefficients of the polynomial S is denoted as SH, a vector (s0, s1, . . . , s127) formed by the last 128 coefficients of the polynomial S is denoted as SL, an nth data in SL is denoted as SLn, SLn=sn−1, n=1, 2, . . . , 128, an nth data in SH is denoted as SHn, and SHn=Sn+127; the polynomial A comprises 256 coefficients, each coefficient has a bit width of 16bits, of which 13bits or 10bits are significant bits and the other 3bits or 6bits are used for data completion and coefficient alignment, the bit width of the data is set to 16bits to ensure that read 64bits data of the polynomial A includes four consecutive coefficients, the coefficient of an fth term (the fth coefficient) of the polynomial A is denoted as af−1, af−1 is an integer, af−1∈[0, 8191], a vector formed by the 256 coefficients of the polynomial A is (a0, a1, . . . , a255), a vector (a128, a129, . . . , a255) formed by the first 128 coefficients of the polynomial A is denoted as AH, a vector (a0, a1, . . . , a127) formed by the last 128 coefficients of the polynomial A is denoted as AL, an mth data in AL is denoted as ALm, ALm=am−1, m=1, 2, . . . , 128, and an mth data in AH is denoted as AHm, and AHm=am+127;
S2: From the output terminal of the coefficient memory, AH and AL are output to the first parallel pre-adding circuit, SH and SL are output to the second parallel pre-adding circuit, AH and SH are output to the first parallel multiplication circuit, and AL and SL are output to the second parallel multiplication circuit, through the output port of the coefficient memory according to a preset time sequence under the control of the clock signal CLK;
As shown in
ra
m−1=(AHm+ALm)mod 8192 (1)
Where, mod is a modulo operator, mod 8192 represents an 8192 modulo operation performed on (AHm+ALm), ram−1 is an mth data in RA, and RA includes 128 data (ra0, ra1, . . . , ra127);
As shown in
rs
n−1=(SHn+SLn) (2)
Where, rsn−1 is an nth data in RS, and RS includes 128 data (rs0, rs1, . . . , rs127);
S3: As shown in
S3.1: a round variable k and an intermediate vector T including 255 data are set, wherein T=(t1_0, t1_1, . . . , t1_254), t1_j is a (j+1)th data in T, and j=0, 1, 2, . . . , 254; k and T are initialized to k=1, t1_j=0;
S3.2: a kth round of shift accumulation is performed, specifically:
S3.2.1: an intermediate vector Rk is set, and each data in the intermediate vector Rk is calculated according to formula (3):
r
k_n−1
=A
Hk
×S
Hn (3)
Where, rk_n−1 is an nth data in Rk, and Rk includes 128 data (rk_0, rk_1, . . . , rk_127);
S3.2.2: an intermediate P0k including 255 data is set, P0k=(pk_0, pk_1, . . . , pk_254), where pk_j is a (j+1)th data in P0k;
When k=1, pk_d=t1_d+rk_d, pk_b=t1_b, where d=0, 1, 2, . . . , 127, b=128, 129, . . . , 254, and the values of t1_d and t1_b are current latest values;
When 2≤k<128, pk_0=t1_0, . . . , pk_k−2=t1_k−2; pk_k−1=t1_k−1+rk_0, pk_k=t1_k+rk_1, . . . , pk_k+126=t1_k+126+rk_127; pk_k+127=t1_k+127, . . . pk_254=t1_254, where the value of t1_j is a current latest value;
When k=128, pk_e=t1_e+rk_e, pk_g=t1_g, where e=0, 1, 2, . . . , 126, g=127, 128, . . . 254, and the values of t1_e and t1_g are current latest values;
S3.2.3: each data in the intermediate vector T is updated, t1_j=pk_j;
S3.3: whether the value of k is equal to 128 is determined; in response the value of k being not equal to 128, the value of k is updated to the sum of a current value of k and 1, and then S3.2 is executed to perform the next round of shift accumulation; in response the value of k being equal to 128, setting p128_j=pj′ and outputting result P0=(p0′, p1′, . . . , p254′), where pj′ is a (j+1)th data in P0;
As shown in
S3.4: a round variable ba and an intermediate variable U including 255 data are set, where U=(u1_0, u1_1, . . . , u1_254), and u1_j is a (j+1)th data in U; ba and U are initialized to ba=1, u1_j=0;
S3.5: a bath round of shift accumulation is performed, specifically:
S3.5.1: an intermediate vector Vba is set, and each data in the intermediate vector Vba is calculated according to formula (4):
v
ba_n−1
=A
Lba
×S
Ln (4)
Where, vba_n−1 is an nth data in Vba, and Vba includes 128 data (vba_0, vba_1, . . . , vba_127);
S3.5.2: an intermediate vector P1ba including 255 data is set, P1ba=(cba_0, cba_1, . . . , cba_254), where cba_j is a (j+1)th data in P1ba;
When ba=1, cba_da=u1_da+vba_da, cba_bb=u1_bb, where da=0, 1, 2, . . . , 127, bb=128, 129, . . . , 254, and the values of u1_da and u1_bb are current latest values;
When 2≤ba<128, cba_0=u1_0, . . . , cba_ba−2=u1_ba−2; cba_ba−1=u1_ba−1+vba_0, cba_ba=u1_ba+vba_1, . . . , cba_ba+126=u1_ba+126+vba_127; cba_ba+127=u1_ba+127, . . . , cba_254=u1_254, where the value of u1_j is a current latest value;
When ba=128, cba_bc=u1_bc+vba_bc cba_ba=u1_ba, where bc=0, 1, 2, . . . , 126, bd=127, 128, . . . , 254, and the values of u1_bc and u1_bd are current latest values;
S3.5.3: each data in the intermediate vector U is updated, u1_j=cba_j;
S3.6: whether the value of ba is equal to 128 is determined; in response the value of ba being not equal to 128, the value of ba is updated to the sum of a current value of ba and 1, and then S3.5 is executed to perform the next round of shift accumulation; in response the value of ba being equal to 128, setting c128_j=pj″ and outputting result P1=(p0″, p1″, . . . , p254″), where pj″ is a (j+1)th data in P1;
As shown in
S3.7: a round variable bf and an intermediate vector W including 255 data are set, where W=(w1_0, w1_1, . . . , w1_254), and w1_j is a (j+1)th data in W; bf and W are initialized to bf=1, w1_j=0;
S3.8: a bfth round of shift accumulation is performed, specifically:
S3.8.1: an intermediate vector Ybf is set, and each data in the intermediate vector Ybf is calculated according to formula (5):
y
bf_n−1
=R
Abf
×R
Sn (5)
Where, ybf_n−1 is an nth data in Ybf, and Ybf includes 128 data (ybf_0, ybf_1, . . . , ybf_127); RAbf is a bfth data in RA, and RSn is an nth data in RS;
S3.8.2: an intermediate vector P2bf including 255 data is set, P2bf=(ebf_0, ebf_1, . . . , ebf_254), where ebf_j is a (j+1) data in P2bf.
When bf=1, ebf_bg=w1_bg+ybf_bg, ebf_bm=w1_bm, where bg=0, 1, 2, . . . , 127, bm=128, 129, . . . , 254, and the values of w1_bg and w1_bm are current latest values;
When 2≤bf<128, ebf_0=w1_0, . . . , ebf_bf−2=w1_bf−2; ebf_bf−1=w1_bf−1+ybf_0, ebf_bf=w1_bf+ybf_1, . . . , ebf_bf+126=w1_bf+126+ybf_127; ebf_bf+127=w1_bf+127, . . . , ebf_254=w1_254, where the value of w1_j is a current latest value;
When bf=128, ebf_bn=w1_bn+ybf_bn, ebf_bp=W1_bp, where bn=0, 1, 2, . . . 126, bp=127, 128, . . . , 254, and the values of w1_bn and w1_bp are current latest values;
S3.8.3: each data in the intermediate vector W is updated, w1_j=ebf_j;
S3.9: whether the value of bf is equal to 128 is determined; in response the value of bf being not equal to 128, the value of bf is updated to the sum of a current value of bf and 1, and then S3.8 is executed to perform the next round of shift accumulation; in response the value of bf being not equal to 128, setting e128_j=pj′″ and outputting result P2=(p0′″, p1′″, . . . , p254′″), where pj′″ is a (j+1)th data in P2;
S4: The post-adding circuit processes P2, P1 and P0 through the following steps to obtain and output the final operation result OUT, specifically:
S4.1: an intermediate vector Tmp0 including 255 data is set, and each data in the intermediate vector Tmp0 is calculated according to formula (6):
tmp0_j=pj″−pj′ (6)
Where, tmp0_j is a (j+i)th data in Tmp0, and Tmp0 includes 255 data (tmp0_0, tmp0_1, . . . , tmp0_254);
S4.2: an intermediate vector Tmp1 including 255 data is set, and each data in the intermediate vector Tmp1 is calculated according to formula (7):
tmp1_j=pj′″−pj″−pj′ (7)
Where, tmp1_j is a (j+1)th data in Tmp1, and Tmp1 includes 255 data (tmp1_0, tmp1_1, . . . , tmp1_254);
S4.3: each data in OUT is calculated according to formula (8), formula (8), formula (10) and formula (11):
outloop1=tmp0_loop1−tmp1_loop1+128 (8)
outloop2=tmp0_loop2−tmp1_loop2−128 (9)
out127=tmp0_127 (10)
out255=tmp1_127 (11)
Where, loop1=0, 1, . . . , 126; loop2=128, 129, . . . , 254; OUT includes 256 data (out0, out1, . . . , out255).
The simulation oscillogram of the time sequence of the parallel multiplier for the Saber algorithm provided by the invention is shown in
The area proportions of the modules of the parallel multiplier for the Saber algorithm provided by the invention are shown in
| Number | Date | Country | Kind |
|---|---|---|---|
| 202210788295.8 | Jul 2022 | CN | national |
